Information Commissioner’s Office


Communicating our Regulatory and 
Enforcement Activity Policy 


1 Introduction 
We aim to be an effective, open and transparent regulator. 


When it’s right to do so, we publicise the details of our regulatory work. 
This helps us achieve our strategic aims, which include: 


• upholding information rights;
• promoting openness by public bodies; and
• protecting data privacy for individuals.


Publicity helps to raise confidence in - and awareness of - our work to 
promote good practice and deter those who may be thinking of breaching 
information rights legislation. 


When asked about our regulatory work, we want to be as open as 
possible. We will withhold information only if: 


• we can identify a genuine likely prejudice to our or our partners’
  regulatory or law enforcement activities; or
• sharing information would be unlawful.


We must be confident of the legality of - and public interest in - the 
information we publicise about our regulatory work and those we 
regulate. This policy aims to help all ICO departments act consistently 
when making decisions about publication and publicity. 


The policy applies to publication, publicity or disclosure of information 
across the full range of our regulatory work, including at various stages 
before a final outcome is reached. 


The policy talks about three types of communication: 


• Disclosure - reactive communication in response to some form of
  request.

• Publication - proactively presenting information on our website.

• Publicity - proactive communication, typically through press
  releases, social media, blogs or contact with journalists.


The policy will help us operate effectively, enabling us to communicate
with a focus, direction and confidence that provides maximum impact and 
effect. It aligns with both our Regulatory Action Policy and our Publication 
Scheme. 


2 Understanding our legal boundaries and prejudice to our 
regulatory work 


All parts of the ICO are engaged in regulatory work of some kind. 
Regulatory work includes: 


• action that results in us serving an official, public notice on an
  organisation;

• action to empower, educate and influence those we regulate to
  improve their information rights practice; and

• reports or analysis about concerns and notifications submitted to us
  which will support our transparency agenda.


Our work will often attract interest from the public, media and other 
parties. We may also proactively publish details of our work and its 
outcomes, including information which allows citizens to protect 
themselves and which promotes learning among organisations. 


We must always obey the statutory prohibition against sharing certain 
information we obtain or receive, in the course of our duties, about those 
we regulate. 


This prohibition (s.132 of the Data Protection Act 2018 (DPA 2018)) says
we must meet at least one of the following criteria; otherwise, we commit a
criminal offence by disclosing information about those we regulate that is
not already in the public domain:


• We have the consent of the individual or organisation to make the
  disclosure.

• We have been given the information to share it with the public as
  required by the DPA 2018 or the Freedom of Information Act 2000
  (FOIA).

• The disclosure is necessary to discharge our functions under the
  DPA 2018, FOIA or any EU obligations.

• The disclosure is necessary as part of civil or criminal proceedings
  under the DPA 2018 or FOIA.

• The disclosure is necessary in the public interest.


A full copy of s.132 is available here:
http://www.legislation.gov.uk/ukpga/2018/12/section/132/2018-05-23


Once satisfied that we have a legal basis to publish or disclose the
information, we must also be content that were we to do so, we would not 
prejudice our own work as a regulator or that of others we may be 
working alongside. 


Communicating information about our work may include: 


• confirming we are investigating an issue or engaging with a
  particular organisation to discuss their current or future information
  rights practice and compliance;

• updating on the progress or outcome of our most formal regulatory
  work, which would typically result in a notice, report or decision
  being issued or served on a particular organisation and published on
  our website; or

• updating on the progress or outcome of our more informal
  investigations or information rights practice discussions.


If our work to consider a particular matter or issue is not yet complete, 
there may be limits to how open and transparent we can be without 
prejudicing our regulatory work. It is also important that organisations 
should feel confident they can discuss certain matters with us in 
confidence, where this is appropriate. 


When engaging with those we regulate, we should: 


• take the opportunity to make them aware of our status as a public
  authority subject to FOIA;

• draw their attention to this policy for more information about our
  approach to publishing and publicising our regulatory work; and

• encourage them to highlight to us any information they provide
  which they consider confidential.


We will take their views into account when deciding whether publishing 
information about our regulatory work is in the public interest or may 
prejudice that work. Nevertheless, our priority is always to work to 
improve information rights practice and compliance among those we 
regulate. This will be our primary focus when deciding whether to publish 
information about our regulatory work. 


We will take into account the following things when deciding whether 
publishing or publicising our regulatory work is in the public interest or 
likely to prejudice that work. 


Factors in favour of publishing or publicising: 


• It is an opportunity for education or to prevent a breach of the law.

• The issue is new or ground-breaking and therefore particularly
  noteworthy.

• The issue meets an ICO communications, corporate or information
  rights objective.

• It would help or would not prejudice an investigation.

• It is likely to deter others.

• There is a reputational risk to public confidence in the ICO if we do
  not publish or publicise.

• The issue or our involvement is already in the public domain.

• Publication would help clarify our involvement or the facts of the
  matter.

• It would demonstrate an improvement to information rights
  practice.

• There are financial market reporting obligations.

• We are working with others and it is likely that the information will
  be shared widely in any event.


Factors preventing or deterring publishing or publicising: 


• It could prejudice a trial or other legal proceedings.

• An investigation is under way that could be hindered by publicity, or
  the investigation may come to nothing.

• It would include personal or highly commercially-sensitive
  information and it would be unfair to put it into the public domain.

• If an organisation has a legitimate expectation that its contact with
  the ICO would not be published or publicised, for example under
  exceptional circumstances where an organisation has been given an
  express assurance by the ICO.

• There are financial market reporting obligations.


3 Guiding principles 


Principle one - on publicising or confirming our involvement 


We can become involved with a regulatory matter in a range of ways. We 
may be alerted by a member of the public, a third party or by the 
organisation concerned self-reporting an incident to us. We may also 
begin our own research or involvement in a given issue based on analysis 
of intelligence gathered from a variety of sources. 


Our default position is that there is generally likely to be a legitimate 
public interest in being open about the issues we are considering and the 
organisations involved. Genuine prejudice to our regulatory activity is also 
unlikely for most of our civil or informal work. We would not typically
provide a running commentary on our investigations or discuss our
progress, but we would generally be content for it to be known that we 
were investigating a matter or incident with a commitment to share 
appropriate information about the outcome, once it is known. 


We would consider not sharing this kind of information if we felt it would 
be likely to prejudice our consideration or investigation. We may also 
choose not to share this information if we believe any of the organisations 
or stakeholders involved have a legitimate expectation of confidentiality, 
either at that particular stage of the regulatory process or more generally. 


Principle two - on formal regulatory outcomes 


By ‘formal regulatory outcomes’ we mean those where we serve or issue
some form of notice, reprimand, recommendation or report following our 
regulatory work. Our default position is that we will publish (and, where 
appropriate, publicise) all formal regulatory work, including significant 
decisions and investigations, once the outcome is reached. 


Regulators, stakeholders and individuals say they want to see us taking
formal regulatory action where it is warranted: it is one of the criteria by
which they judge how far to have confidence in the ICO. The best way of 
fostering this confidence is by being as open and transparent as possible. 


Principle three - on informal regulatory activity 


By ‘informal activity’ we mean our work that does not result in serving 
formal notices, reports or decisions. This typically sees us discussing, 
educating, negotiating or influencing standards of information rights 
practice and compliance with those we regulate in an effort to promote 
good practice. 


There is an important balance to be struck here. We know there is often 
an interest from the public in understanding our involvement with a given 
matter or issue. Often, it is also in our own interests to be open about our 
work even if it does not result in formal regulatory action. Many positive 
and significant improvements to information rights practice are achieved 
informally. 


However, we also recognise that some informal engagement with our 
stakeholders is only possible because an appropriate degree of 
confidentiality is in place. 


It is important that we make our decisions on a case-by-case basis when 
striking a proportionate balance between open and transparent regulation 
and stakeholder expectations.


Principle four - on informing, consulting or seeking consent


Depending on how formal our regulatory activity is, and the type of 
information involved, it may be appropriate for us to inform, consult or 
seek the consent of the organisations named in our communication before 
publishing it. 


Stakeholders want us to have good relationships with them. We need to 
ensure these are based on a mutual understanding that we will use the 
full range of our regulatory options as appropriate. 


We will not risk damaging confidence in the ICO by agreeing with an 
organisation that we won’t publicise our formal action against it or that 
we will give advance warning. As an independent regulator, we need not 
contact the press office of an organisation we are taking formal action 
against before issuing a press release. Also, we need not proactively 
share the content of releases with organisations or tell them the likely 
issue date. 


4 Governance and authority 


While this document sets out in general terms how we intend to 
communicate our regulatory work, we recognise that different cases may 
need different approaches. If decisions on publicising information about 
our regulatory work are not routine, they can be escalated to the most 
relevant Director or Executive Director. 


In some investigations, we may be working alongside other regulators. If 
so, we will liaise with them to discuss and agree an approach to 
communications. We may publicise information from other regulators’ 
investigations as part of our communications work. 


5 Practical examples of communicating our regulatory activities 


The following are some examples of our typical regulatory activity and our 
usual approach to making them public. 


Self-reported incidents and concerns reported to us 


• If asked, we would typically confirm we are looking into a particular
  matter about a named organisation. We would provide only basic
  information about the concern to avoid prejudicing our
  consideration of it.

• We would provide a statistical summary of concerns submitted to us
  either in response to information requests or as part of any planned
  publication.

• We would publicise any trends or themes that are particularly
  noteworthy.


Action after incidents are reported and concerns raised 


• We may publish or publicise information highlighting practice
  improvements in information rights after complaints and incidents
  are reported to us.

• This will include naming organisations if the public interest warrants
  it.


Whistle-blowers


• We will publish annual figures on reports made to us by
  whistle-blowers in line with the Prescribed Persons (Reports on
  Disclosures of Information) Regulations 2017.

• The report will not contain any information that would identify
  individual whistle-blowers or their employers, including
  ex-employers.


Criminal investigations 


• We will not usually publish anything about ongoing criminal
  investigations until these are concluded, but may confirm we are
  investigating.

• We would consider publishing limited information during an
  investigation if:

    • knowledge of it was already in the public domain, and
    • further communication would be considered likely to further
      our investigatory or regulatory aims.

• We will take into account our obligations under any relevant codes
  of practice such as the Victims Code of Practice.

• We may publicise details once we have reached an outcome or key
  decision point and if we regard the matter as noteworthy.


Search warrants 


• We will publish details in our Annual Report to Parliament, which is
  also published on our website.

• We will publicise details, subject to the considerations above
  regarding criminal investigations.

• We are likely to publicise if the fact that we are investigating the
  matter is already in the public domain.

• We are likely to publicise if there is an expectation of an update or
  we need to show we have taken action.

• We may publicise if it helps our investigation.


Cautions


• We may publicise cautions if they are noteworthy.


Prosecutions


• We will publish these on our website.

• We will report on prosecutions in our Annual Report to Parliament.

• We may inform journalists in advance.

• We will adhere to current reporting rules.

• We may issue a news release.

• In some cases we will provide the case summary to a journalist.


Civil investigations 


• Generally, we are content to confirm we are investigating or
  considering a particular civil matter.

• We will not provide a commentary as our work progresses unless
  we feel public privacy or information rights are at risk or we wish to
  deter similar practices to those being investigated.

• We will provide basic details of the outcome in statistical reports.

• We may provide a more detailed case study once the matter is
  concluded if it provides a good example of improvement to
  information rights practice.

• We may publicise it if we feel the issue is particularly noteworthy.


Information notices, urgent information notices, or court orders 
for compliance with an information notice 


• We are likely to publicise if it is in the public domain.

• We are likely to publicise if there is an expectation of an update or
  we need to show we have taken action.

• We may publicise if it helps our investigation.


Warnings and reprimands 


• We will publicise these if it will help promote good practice or deter
  non-compliance.


Preliminary enforcement notices and notices of intent 


We will not routinely publish or publicise preliminary notices or notices of 
intent. However, we may do so if: 


• there is an overriding public interest;

• all parties agree;

• the matter is already in the public domain;

• there are financial market reporting obligations;

• it is necessary for the purposes of international regulatory
  co-operation; or

• publicising information allows for improved public protection from
  threat.


Any communication will make clear that the notice is preliminary and 
subject to a final decision after representations. 


Enforcement notices and urgent enforcement notices 


• We will publish these on our website.

• We will publicise these if to do so will help promote good practice or
  deter non-compliance.


S.159 Consumer Credit Act 1974 orders


• We may publicise these depending on noteworthiness.


Penalty notices


• We will publish these on our website.

• We will publicise the serving of a monetary penalty if doing so will
  help promote good practice or deter non-compliance.


Fixed penalty notices 


• We will publish the names of organisations issued with a fixed
  penalty for not paying the data protection fee.

• We will publicise where doing so will help promote good practice
  and deter non-compliance.


Consensual audits and advisory visits 


• We will publish the names of organisations that have received an
  audit or advisory visit from us. We will publish an executive
  summary of the audit findings.

• We will publicise these events if doing so will help promote good
  practice or deter non-compliance.


Assessment notices, urgent and no-notice assessment notices 


• We are likely to publicise if these are in the public domain.

• We are likely to publicise if there is an expectation of an update or
  we need to show we have taken action.

• We may publicise if it would help the assessment.


FOIA decision notices


• We will publish these on our website unless doing so would unfairly
  disclose personal information or prejudice related legal proceedings.

• We will publicise these depending on the public interest.

• We are likely to publicise these if there is an expectation of an
  update or we need to show we have taken action.


FOIA practice recommendations


• We will publicise these, depending on the public interest.


S.47 FOIA assessments


• We may publicise these depending on the public interest (and
  depending on whether it is subject to a confidentiality agreement or
  whether we have the organisation’s agreement).

• We will consult the National Archives or the Deputy Keeper of the
  Records for Northern Ireland (or both) if the matter relates to
  records management.


Liaison and practice improvement discussions 


We may choose to publish or publicise details of our engagement with an 
organisation, or group of organisations, if there is a public interest in 
doing so and it would not prejudice our regulatory function. 


• When deciding if there is a public interest in publishing or
  publicising details of our work with them, we will always consider if
  an organisation has a legitimate expectation of confidentiality.


Compliance and monitoring 


• We will publicise the names of public bodies we are monitoring for
  the purposes of assessing compliance with DPA, s.10 FOIA, r.5
  Environmental Information Regulations or internal reviews on a
  quarterly basis.

• We may also publicise the names of public bodies that have been
  brought to our attention as a result of other types of poor practice.


6 Likely tools for communicating regulatory activities 


This is not an exclusive or exhaustive list, but gives a good indication of 
the ways we might choose to publicise ICO regulatory activities. The 
Communications team, in consultation with colleagues in relevant 
departments, will decide which to choose in each case:


• journalists’ briefings;
• news releases;
• website and internet;
• Annual Report to Parliament;
• e-newsletter;
• blogs;
• social media, eg Twitter;
• letters;
• briefings to stakeholder groups;
• special reports to Parliament (on the decision of the Commissioner);
• thematic or ‘improving practice’ reports; and
• investigation updates.